Incident Campaigns
The quiz tells you who you are. Campaigns let you do the job. Work a live incident from the first alert to the after-action review — every choice has a consequence, and there's more than one way it can end.
Blue Team Track
Defensive — detection, response, and forensics
The 2AM Alert
An EDR alert fires at 2am: PowerShell spawned from Word on a finance workstation. Work the incident — every choice trades speed against intel against containment.
The Reported Email
A user reports a suspicious DocuSign email. Is it one phish or a whole campaign? Balance rigor, containment, and the trust of the person who reported it.
Friday Afternoon Encryption
Ransomware is encrypting a file share in real time. Contain the spread, preserve the evidence, and protect your path to recovery — without making it worse.
The Departing Employee
DLP flags a huge upload from someone who resigned last week. Build a case the right way: preserve evidence, stay discreet, and don’t jump to conclusions.
Red Team Track
Offensive — recon, exploitation, and social engineering
The Pretext
Design and run a social-engineering op for initial access. The most effective lure and the most ethical one aren’t always the same — and the targets are real people.
The Foothold
You have initial access on an engagement and need to reach Domain Admin. Trade stealth against speed — go loud and the SOC catches you, go quiet and you might just ghost them.
Out of Bounds
Mid-engagement, you find a path into a system that’s out of scope. The same action is a brilliant finding or a crime — the only difference is authorization. Hold the line.
Domain Admin or Bust
Reach the objective — but the client asked for a realistic detection test, not a speed-run. Decide what “winning” actually means when the flag isn’t the point.
Purple Team Track
Collaboration — emulation, detection engineering, and GRC
Attack & Detect
Run ATT&CK techniques with the blue team in the room, then close the gaps together. Find the misses — without turning the session into a gotcha.
The Tabletop
Facilitate an incident tabletop with execs in the room. The exercise lives or dies on psychological safety — make it a performance review and every real gap stays hidden.
The Findings Handoff
Forty red-team findings, a bruised blue team, and thin remediation time. Turn the report into prioritized, validated, owned fixes — not a backlog that rots.
Assumed Breach Drill
Run an assumed-breach exercise to measure detect-and-respond times. The temptation is a contest red can win; the goal is honest numbers you can actually trust.